Question

In the last few minutes, more than 1000 spam tickets were submitted from different addresses through the web form. How do I make it stop?

Answer

Firstly, it is important to make sure the tickets are actually coming from your contact form. To do that, you can check the events of the ticket.

To view ticket events

In a ticket, click Conversations under the active comment area, then select Events.

If a ticket is submitted through a channel other than the web form, such as Twitter or email, details about the channel appear. Therefore, you are looking for something like this:

Once you are assured the tickets come from your web form, you can enable the Require CAPTCHA setting. This requires users who are not signed in to complete a verification test before they can submit a ticket.

To enable Require CAPTCHA

Click the Admin icon in the sidebar, then select Settings > Customers.

If your Zendesk account has been spammed and you need to bulk delete the spam tickets rather than deleting them manually, the different ways to do it are all outlined in the article How can I bulk delete spam tickets in Zendesk?

50 Comments

We have verified that the "Require CAPTCHA" is enabled but yesterday we suddenly started getting spam attacks in spite of this from multiple sources. All show the following: "not signed in when comment was submitted" and the tickets were all created via our Web Widget. (see second and third screen shots below)

We never had this issue before.

I see in the second point of this article it states the following:

"If a ticket is submitted through a channel other than the web form, such as Twitter or email, details about the channel appear."

This is the case for us (see first screen shot below). How do we fix this to block these spam tickets from getting created?

I'm an Advocate here at Zendesk. Thanks for mentioning this! I've gone ahead and created a ticket for you so that we may review this problem together. Please be on the lookout for ticket # 4649445 from me.

We have the same issue as Corrin, and it started this last week. We've received dozens of emails with similar content and identical conditions. I've marked every one of them as spam, but they continue to flow in.

We use a contact form on our site, and inquiries that come through it are identified as coming from the customer email, not "by web service."

We are also getting the same issue. Started on Thursday/Friday. We have been marking as spam as well but still coming in. They are coming in from contact form on our site just like the other examples the others have mentioned. The same Instagram-related spam.

I can confirm that this is happening to our Support Desk as well. All of them are Instagram spam. We do have Require CAPTCHA checked but they still get through. We've gotten ~30 of these spam emails in the last 3 days from different users addressed to random names. Please do something about this.

We are suffering the same - the "Instagram" spam. As with many of the above, the problem occurs with the web widget, which is weak in terms of security (e.g., ignores the blacklist). There are no tools within Zendesk to automatically mark tickets as spam, based on user-chosen criteria, either.

The spam emails we get all have the tag web_widget. We're not even sure what page they're using to send in these tickets. We've tried testing using our contact form and this does not add the web_widget tag. Under Admin > Widget, we aren't even using it and it is disabled.

Following the instructions to add the condition and remove the placeholders did not resolve the issue as we got another email a few minutes after making these changes.

We are experiencing the same Instagram spam and are seeing the same web_widget tag behavior that Mike mentioned. I tested submitting a ticket and saw the captcha icon, but was not prompted to check a box for verification that I am not a robot.

The spam messages have been flowing in despite following the emailed instructions.

I wanted to share the recommendations we have been making to customers within the tickets created from comments on this thread. To combat spam, we recommend removing placeholders from your “Notify requester of received request” trigger. If you have customized triggers, you’ll need to remove any of the placeholders that pass the comment or title content of the tickets to the end-user at ticket creation.

Making these recommended changes will not immediately stop the spam, but it does stop the spam from being passed. The spam will stop over time. Please submit a ticket to us if you have any questions: support@zendesk.com

Here’s an example of the changes you’ll need to make. In this example, I’m using the “Notify requester of received request” trigger:

Add this condition under the ALL conditions:

Current User, is, (End-user)

In the Actions section, look at the “Email subject” and the “Email body” fields. Remove these two placeholders:

{{ticket.title}}

{{ticket.comments_formatted}}

Removing the placeholders will prevent spammy notification emails from being sent out and will result in many fewer spammy tickets ending up in your account. This removal effectively stops the spam from being forwarded to the spammer’s target (the requester), though it may take a while for the messages to stop.

With these changes, the need for the secondary trigger comes into play when you or your agents are creating tickets on behalf of requesters (sending out proactive emails, or any scenario where you need to send out a message on the creation of the ticket). When an agent creates the ticket, there is no risk to sending out the initial message. Creating this trigger will enable your end users to see the content of the agent-created ticket.

Here are the needed conditions for this trigger, which we’ll call “Notify requester of agent-created request (Proactive Ticket)”:

ALL conditions:

Ticket, is, Created

Status, is not, Solved

Privacy, is, Ticket has public comments

Current user, is not, (end-user)

Actions:

Email user, (requester)

Email Subject:

[Request Received] {{ticket.subject}}

Email Body:

A request {{ticket.id}} has been created by our staff!

To add additional comments, please reply to this email.

{{ticket.comments_formatted}}

With these changes made, your account will no longer be an attractive target for spammers. After removing the placeholders, it may take a bit of time for the spammer to notice their content is no longer being passed, but removing the placeholders removes the motivation to spam your account.

For more information on spam prevention on other channels, see our resources here.
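A small check for the trigger changes described in the comment above, as an added example that is not part of the original thread or Zendesk's own code: it flags requester notifications that would still echo {{ticket.title}} or {{ticket.comments_formatted}} on tickets created by end users. The dict layout, the function names and the sample subject and body strings of the first two triggers are constructed for illustration and are not Zendesk's API format.

```python
import re

# Placeholders the thread says to remove from end-user-facing notifications.
RISKY = {"ticket.title", "ticket.comments_formatted"}
PLACEHOLDER = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")

def risky_placeholders(template):
    """Risky placeholder names referenced in an email subject or body."""
    return sorted(set(PLACEHOLDER.findall(template)) & RISKY)

def agent_only(trigger):
    """True when an ALL condition limits the trigger to non-end-user updates."""
    wanted = ("current user", "is not", "(end-user)")
    return any(tuple(p.lower() for p in cond) == wanted for cond in trigger["all"])

def audit(trigger):
    """Findings for requester emails that would echo submitter-controlled text."""
    if agent_only(trigger):
        return []  # ticket text was written by staff, not by an anonymous sender
    return ["%s: %s echoes {{%s}}" % (trigger["title"], part, name)
            for action in trigger["actions"] if action["email_user"].lower() == "(requester)"
            for part in ("subject", "body")
            for name in risky_placeholders(action[part])]

# Constructed sample triggers in a simplified, hypothetical dict layout.
UNSAFE = {
    "title": "Notify requester of received request",
    "all": [("Ticket", "is", "Created")],
    "actions": [{"email_user": "(requester)",
                 "subject": "[Request received] {{ticket.title}}",
                 "body": "Request {{ticket.id}} received.\n{{ticket.comments_formatted}}"}],
}
HARDENED = {
    "title": "Notify requester of received request",
    "all": [("Ticket", "is", "Created"), ("Current user", "is", "(End-user)")],
    "actions": [{"email_user": "(requester)", "subject": "[Request received]",
                 "body": "Request {{ticket.id}} received."}],
}
PROACTIVE = {
    "title": "Notify requester of agent-created request (Proactive Ticket)",
    "all": [("Ticket", "is", "Created"), ("Status", "is not", "Solved"),
            ("Privacy", "is", "Ticket has public comments"), ("Current user", "is not", "(end-user)")],
    "actions": [{"email_user": "(requester)",
                 "subject": "[Request Received] {{ticket.subject}}",
                 "body": "A request {{ticket.id}} has been created by our staff!\n{{ticket.comments_formatted}}"}],
}

if __name__ == "__main__":
    for t in (UNSAFE, HARDENED, PROACTIVE):
        print(t["title"], "->", audit(t) or "ok")
```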